authorJason A. Donenfeld <Jason@zx2c4.com>2021-06-24 12:10:12 +0200
committerJason A. Donenfeld <Jason@zx2c4.com>2021-06-25 14:09:16 +0200
commitb3bf490434c78b565c369064f371788eaecace35 (patch)
tree6fd02ca4be366d9b23b7b1eac362cb5ea70b1d0e
parentdriver: specify pnplockdown in inf (diff)
driver: allow admins but require high integrity label
Might be more reasonable.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
-rw-r--r--driver/driver.vcxproj2
-rw-r--r--driver/undocumented.h20
-rw-r--r--driver/wintun.c56
3 files changed, 70 insertions, 8 deletions
diff --git a/driver/driver.vcxproj b/driver/driver.vcxproj
index 4457db2..915326e 100644
--- a/driver/driver.vcxproj
+++ b/driver/driver.vcxproj
@@ -96,7 +96,7 @@
<PreprocessorDefinitions>NDIS_MINIPORT_DRIVER=1;NDIS620_MINIPORT=1;NDIS683_MINIPORT=1;NDIS_WDM=1;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
<Link>
- <AdditionalDependencies>ndis.lib;wdmsec.lib;%(AdditionalDependencies)</AdditionalDependencies>
+ <AdditionalDependencies>ndis.lib;wdmsec.lib;ksecdd.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
<DriverSign>
<FileDigestAlgorithm>sha256</FileDigestAlgorithm>
diff --git a/driver/undocumented.h b/driver/undocumented.h
index 199e3c7..7f538b7 100644
--- a/driver/undocumented.h
+++ b/driver/undocumented.h
@@ -44,3 +44,23 @@ NTSYSAPI
NTSTATUS
NTAPI
ZwYieldExecution(VOID);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlSetSaclSecurityDescriptor(
+ _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ _In_ BOOLEAN SaclPresent,
+ _In_opt_ PACL Sacl,
+ _In_opt_ BOOLEAN SaclDefaulted);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlAddMandatoryAce(
+ _Inout_ PACL Acl,
+ _In_ ULONG AceRevision,
+ _In_ ULONG AceFlags,
+ _In_ PSID Sid,
+ _In_ UCHAR AceType,
+ _In_ ULONG AccessMask);
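Review bot: The `RtlSetSaclSecurityDescriptor` prototype annotates its first parameter as `_In_ PSECURITY_DESCRIPTOR SecurityDescriptor`, yet the function's whole purpose is to write the SACL pointer and the corresponding control bits into that descriptor, so `_Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor,` is the accurate SAL annotation (the DACL counterpart already used by wintun.c is, as far as I recall, annotated `_Inout_` in the public headers); with `_In_` the analyzer will treat the descriptor as untouched by the call. Since this file collects declarations that are missing from the headers the driver builds against, a one-line comment above each new prototype recording where it was taken from and why it is needed here would help the next maintainer decide when it can be dropped, e.g. `/* Not declared in the WDK headers this driver uses; needed to attach the High integrity label to the dispatch security descriptor. */` — hedged, since I cannot see the project's header set from this hunk.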
diff --git a/driver/wintun.c b/driver/wintun.c
index 9d87005..d7e3ef4 100644
--- a/driver/wintun.c
+++ b/driver/wintun.c
@@ -845,28 +845,70 @@ _Use_decl_annotations_
static NTSTATUS TunInitializeDispatchSecurityDescriptor(VOID)
{
NTSTATUS Status;
- SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
- SID LocalSystem = { 0 };
- if (!NT_SUCCESS(Status = RtlInitializeSid(&LocalSystem, &NtAuthority, 1)))
+ struct
+ {
+ SID Sid;
+ } LocalSystem;
+ struct
+ {
+ SID Sid;
+ ULONG ExtraAuthority;
+ } BuiltinAdministrators;
+ struct
+ {
+ SID Sid;
+ } HighLabel;
+ ULONG SidSize = sizeof(LocalSystem);
+ if (!NT_SUCCESS(Status = SecLookupWellKnownSid(WinLocalSystemSid, &LocalSystem.Sid, SidSize, &SidSize)))
+ return Status;
+ SidSize = sizeof(BuiltinAdministrators);
+ if (!NT_SUCCESS(
+ Status = SecLookupWellKnownSid(WinBuiltinAdministratorsSid, &BuiltinAdministrators.Sid, SidSize, &SidSize)))
+ return Status;
+ SidSize = sizeof(HighLabel);
+ if (!NT_SUCCESS(Status = SecLookupWellKnownSid(WinHighLabelSid, &HighLabel.Sid, SidSize, &SidSize)))
return Status;
- *RtlSubAuthoritySid(&LocalSystem, 0) = SECURITY_LOCAL_SYSTEM_RID;
struct
{
ACL Dacl;
- ACCESS_ALLOWED_ACE AceFiller;
- SID SidFiller;
+ ACCESS_ALLOWED_ACE Ace1;
+ SID Sid1;
+ ACCESS_ALLOWED_ACE Ace2;
+ SID Sid2;
} DaclStorage = { 0 };
+ struct
+ {
+ ACL Sacl;
+ SYSTEM_MANDATORY_LABEL_ACE Ace;
+ SID Sid;
+ } SaclStorage = { 0 };
if (!NT_SUCCESS(Status = RtlCreateAcl(&DaclStorage.Dacl, sizeof(DaclStorage), ACL_REVISION)))
return Status;
+ if (!NT_SUCCESS(Status = RtlCreateAcl(&SaclStorage.Sacl, sizeof(SaclStorage), ACL_REVISION)))
+ return Status;
ACCESS_MASK AccessMask = GENERIC_ALL;
RtlMapGenericMask(&AccessMask, IoGetFileObjectGenericMapping());
- if (!NT_SUCCESS(Status = RtlAddAccessAllowedAce(&DaclStorage.Dacl, ACL_REVISION, AccessMask, &LocalSystem)))
+ if (!NT_SUCCESS(Status = RtlAddAccessAllowedAce(&DaclStorage.Dacl, ACL_REVISION, AccessMask, &LocalSystem.Sid)))
+ return Status;
+ if (!NT_SUCCESS(
+ Status = RtlAddAccessAllowedAce(&DaclStorage.Dacl, ACL_REVISION, AccessMask, &BuiltinAdministrators.Sid)))
+ return Status;
+ if (!NT_SUCCESS(RtlAddMandatoryAce(
+ &SaclStorage.Sacl,
+ ACL_REVISION,
+ 0,
+ &HighLabel.Sid,
+ SYSTEM_MANDATORY_LABEL_ACE_TYPE,
+ SYSTEM_MANDATORY_LABEL_NO_READ_UP | SYSTEM_MANDATORY_LABEL_NO_WRITE_UP |
+ SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP)))
return Status;
SECURITY_DESCRIPTOR SecurityDescriptor = { 0 };
if (!NT_SUCCESS(Status = RtlCreateSecurityDescriptor(&SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION)))
return Status;
if (!NT_SUCCESS(Status = RtlSetDaclSecurityDescriptor(&SecurityDescriptor, TRUE, &DaclStorage.Dacl, FALSE)))
return Status;
+ if (!NT_SUCCESS(Status = RtlSetSaclSecurityDescriptor(&SecurityDescriptor, TRUE, &SaclStorage.Sacl, FALSE)))
+ return Status;
SecurityDescriptor.Control |= SE_DACL_PROTECTED;
ULONG RequiredBytes = 0;
Status = RtlAbsoluteToSelfRelativeSD(&SecurityDescriptor, NULL, &RequiredBytes);
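Review bot: The `if (!NT_SUCCESS(RtlAddMandatoryAce(` line is the only call in this function that does not store its result in `Status`, so if adding the mandatory label ACE fails, the early `return Status;` hands back the stale STATUS_SUCCESS left by the preceding `RtlAddAccessAllowedAce` and the caller proceeds with a SACL that carries no integrity label — precisely the control this commit is adding disappears silently. It should read `if (!NT_SUCCESS(Status = RtlAddMandatoryAce(` to match every other call in the function. A short comment above `SaclStorage` recording the intent would also help, since the commit message does not: `/* Label the device High integrity with NO_READ/WRITE/EXECUTE_UP so callers below High integrity are refused even if their token carries the Administrators group granted in the DACL. */`. TunInitializeDispatchSecurityDescriptor continues past the end of the hunk, so the self-relative conversion and the final error handling are not visible here.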